Custom meta in an ESA rule enriches the rule. This makes investigation more efficient by:
- Providing more informative results
- Reducing the number of alerts triggered because of false-positive findings.
After you set up and deploy the rule with the custom meta, you use it to conduct an investigation in the same manner as any ESA alert. The following examples illustrate how to view:
- A summary of all the alerts triggered by this rule over a specified time period.
- Meta details for a single event that triggered an alert.
View ESA Alerts
After you deploy an ESA rule, it runs continuously. You can view the alerts generated by these rules to conduct an investigation. Refer to the View ESA Stats and Alerts topic in the Alerting Using ESA Guide for detailed instructions.
Summary of Alerts Triggered by Rule for Specified Time Period
The following example shows a summary of all the alerts triggered by the Critical resource accessed from Suspicious country rule over the period of the last two days.